pocketbase

v0.38.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 19d API Development
✓ No known CVEs patched
This release patches 1 known CVE

Topics

authentication backend go realtime

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 9d

PocketBase v0.38.1 forces unsetting auth state on password or collection secret changes and adds several UI enhancements.

Why it matters: The release minimizes attack vectors by resetting auth state after credential changes; developers of UI extensions can now use top‑level await experimentally.

Summary

AI summary

Force unsetting auth state on password/collection secret changes minimizes attack vectors.

Changes in this release

Feature Medium

Allow top-level await in experimental UI extensions initialization script.

Source: llm_adapter@2026-05-21

Confidence: high

Feature Medium

Added error marker for each collection tab and fixed raw errors tooltip styles.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Updated modernc.org/sqlite dependency to version 1.50.1 (SQLite 3.53.1).

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fixed indexes collection update error (#7689). Includes system migration to normalize all indexes.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Force unset auth state on realtime connections for user password or collection secret changes.

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

To update the prebuilt executable you can run ./pocketbase update.

  • Silenced the superuser IPs confirmation if there is no change.

  • Updated the experimental UI extensions APIs to allow top-level await in the initialization script.

  • Force unset the auth state of existing realtime connections on user password, collection secret, etc. changes.
    This is not strictly necessary because the realtime connections have a short-lived idle timeout by design, but it was nonetheless implemented to minimize the attack vectors.

  • Added error marker for each collection tab and fixed the styles of the raw errors tooltip.

  • Fixed indexes collection update error (#7689).
    ⚠️ The fix comes with a system migration that resaves all collections with indexes to ensure that all indexes are normalized and available in the Collection.Indexes field (it will also include indexes created manually via the sqlite3 cli or other external tool).
    If you are using a test pb_data for your Go automation tests, you may want to apply the migration to it too so that it runs only once and not on each execution of your tests, i.e. you could run once: go run main.go migrate up --dir="/path/to/test_pb_data".

  • Updated modernc.org/sqlite to v1.50.1 (SQLite 3.53.1).

  • Other minor fixes (updated API preview examples, fixed code comment typos, etc.).

Security Fixes

  • Force unset auth state of realtime connections on password or collection secret changes to minimize attack vectors

About pocketbase

Open Source realtime backend in 1 file
